Software Security in DevOps: Synthesizing Practitioners’ Perceptions and Practices

236 views

Published on

In organizations that use DevOps practices, software changes can be deployed as fast as 500 times or more per day. Without adequate involvement of the security team, rapidly deployed software changes are more likely to contain vulnerabilities due to lack of adequate reviews. The goal of this paper is to aid software practitioners in integrating security and DevOps by summarizing experiences in utilizing security practices in a DevOps environment. We analyzed a selected set of Internet artifacts and surveyed representatives of nine organizations that are using DevOps to systematically explore experiences in utilizing security practices. We observe that the majority of the software practitioners have expressed the potential of common DevOps activities, such as automated monitoring, to improve the security of a system. Furthermore, organizations that integrate DevOps and security utilize additional security activities, such as security requirements analysis and performing security configurations. Additionally, these teams also have established collaboration between the security team and the development and operations teams.

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
236
On SlideShare
0
From Embeds
0
Number of Embeds
5
Actions
Shares
0
Downloads
6
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide
  • Image Reference: http://www.mmatechs.com/solutions.html http://www.gartner.com/newsroom/id/2867917 Gartner: a leading software engineering research and advisory company
  • Software Security in DevOps: Synthesizing Practitioners’ Perceptions and Practices

    1. 1. 1 Software Security in DevOps: Synthesizing Practitioners’ Perceptions and Practice Akond Rahman(aarahman@ncsu.edu), and Laurie Williams Department of Computer Science, North Carolina State University
    2. 2. 2 Why Security in DevOps? • Ensuring quality even when software deployment is rapid • Adoption concerns
    3. 3. 3 Research Objective Aid software practitioners in integrating security and DevOps by summarizing experiences in utilizing security practices in a DevOps environment.
    4. 4. 4 Background • DevSecOps is the concept of integrating security principles through increased collaboration • We differentiate between ‘activity’, and ‘security practice’. – A DevOps activity focuses on achieving a small, well- defined goal that has a tangible output. – A security practice is a collection of activities that can be grouped based on existing similarities within those activities.
    5. 5. 5 Our Contributions • A list of DevOps activities that might have a positive and negative impact • A list of security practices and an analysis of how they are used in DevOps organizations • An analysis that quantifies the levels of collaboration
    6. 6. 6 Research Questions • RQ1: Perception. How do software practitioners perceive the integration of DevOps and security? What DevOps related activities contribute to those perceptions? • RQ2: Security Practices. What security practices are used by organizations that integrate security into DevOps?
    7. 7. 7 Methodology 66 Internet artifacts66 Internet Artifacts Nine DevOps Organizations
    8. 8. 8 RQ1: Identified Perceptions • Positive Perceptions – Use of automated monitoring – Use of automated pipeline to deploy software – Automatic deployment of software – Automatic testing of software changes – Delivering software in small increments
    9. 9. 9 RQ1: Identified Perceptions • Negative Perceptions – Use of immature automated deployment tools – Use of inappropriate software metrics – Inadequate monitoring of collaboration
    10. 10. 10 RQ2: Identified Automated Activities • Automation of Code Review • Automation of Monitoring • Automation of Software defined Firewall • Automation of Software Licensing • Automation of Testing
    11. 11. 11 RQ2: Identified Non-Automated Activities • Design Review • Input Validation • Isolation of Untrusted Inputs • Performing Compliance Requirements • Performing Security Configurations • Performing Security Policies • Security Requirements Analysis • Performing Manual Security Tests • Risk Analysis • Threat Modeling
    12. 12. 12 RQ1: Empirical Findings – Positive Aspects (Internet Artifacts) 0 1 2 3 4 5 6 7 8 9 10 Automated monitoring Automated pipeline Automated deployment Automated testing Delivering software in small increments CountofInternetArtifacts
    13. 13. 13 RQ1: Empirical Findings – Negative Aspects (Internet Artifacts) 0 1 2 Use of immature automated deployment tools Use of inappropriate software metrics Inadequate monitoring of collaboration CountofInternetArtifacts
    14. 14. 14 RQ2: Empirical Findings – Automation Practices (Internet Artifacts) 0 2 4 6 8 10 12 14 16 18 20 Automation of monitoring Automation of testing Automation of code review Automation of software licensing Automation of software defined firewall CountofInternetArtifacts
    15. 15. 15 RQ2: Empirical Findings – Non Automation Practices (Internet Artifacts) 0 1 2 3 4 5 6 Security requirements analysis Performing security configurations Performing security policies Performing manual security tests Performing compliance requirements Design review Input validation Isolation of untrusted inputs Threat modeling Risk analysis CountofInternetArtifacts
    16. 16. 16 RQ1: Empirical Findings – Positive Aspects (Survey) 0 1 2 3 4 5 6 7 8 9 Use of automated monitoring Use of automated pipeline to deploy software Automatic deployment of software Automatic testing of software changes Delivering software in small increments CountofOrganizations Yes No
    17. 17. 17 0 1 2 3 4 5 6 7 8 9 Automation of monitoring Automation of testing Automation of code review Automation of software defined firewall Automation of software licensing CountofOrganizations Yes No RQ2: Empirical Findings – Automation Practices (Survey)
    18. 18. 18 0 1 2 3 4 5 6 7 8 9 Performing security policies Performing manual security tests Input validation Performing compliance requirements Performing security configurations Risk analysis Isolation of untrusted inputs Threat modeling Design review Security requirements analysis CountofOrganizations Yes No RQ2: Empirical Findings – Non Automation Practices (Survey)
    19. 19. 19 0 1 2 3 4 5 6 7 8 9 Dev&Ops Dev&Sec Sec&Ops CountofOrganizations Lowest Low Moderate High Highest RQ2: Empirical Findings – Collaboration (Survey)
    20. 20. 20 Summary • Answer to RQ1: – A certain set of DevOps activities are perceived to be beneficial for system’s security • Answer to RQ2: – A certain set of DevOps specific automated and non-automated activities are used to implement security – Moderate to strong collaboration exists between teams
    21. 21. 21 Limitations • Incomprehensive set of Internet artifacts • Incomprehensive set of security practices • Generalizability of empirical findings • Impact of collaboration on practice usage
    22. 22. 22 Conclusion • Commonly used DevOps activities can be helpful to a system’s security. • Security teams actively collaborate with development and operations teams in established DevOps organizations. • Security awareness is prevalent amongst established DevOps organizations

    ×